Today’s organizations are besieged by security threats.

It's no secret — there's a cyber war raging out there. Like kids in a candy store, cybercriminals can’t wait to get their hands on confidential information. And as attacks grow more advanced, it's increasingly important for organizations to have flexible, scalable and collaborative security tools in place to meet charging security requirements. Security information and event management (SIEM) tools provide a powerful way for organizations to prevent, detect and respond to the latest threats before they can cause damage. But it is important to choose the right SIEM solution.

Detecting subtle differences in the environment — and understanding the context of security events — requires the power of advanced analytics. Security teams need an analytics engine that can match user behavior with log events, network flows, threat intelligence, vulnerabilities and business context. This can help them find attackers lurking within the organization, as well as prioritize issues for remediation.

In addition, the right security tools collect insights from beyond your organization. They empower your security teams to collaborate with experts from around the world, incorporating new applications and third-party products to quickly adapt to changing needs.

The integrated security platform should enable you to:

Scale out

Expand the deployment over time as business grows, and as the threat environment becomes increasingly hostile.

Scale up

Add event processing power and low-cost storage that can retain data for months, years or even decades.

Scale for cloud

Use on-premises infrastructure to collect security information from the cloud, deploy a hybrid.

Scale functionality

Deploy new capabilities through integrated risk management, vulnerability management, incident forensics, incident response and third-party applications.

Scale through collaboration

Serious data breaches, major attacks and new vulnerabilities.

This white paper explains how IBM® QRadar® Security Intelligence Platform, powered by IBM Sense Analytics Engine™, can meet all of these scalability needs. Whether you want to support a growing organization, add new capabilities or expand storage capacity and performance,

IBM offers an integrated platform that can be deployed and expanded quickly, easily and cost-effectively. Clients can start with a single appliance solution handling less than 10,000 log events per second, and grow it to support up to one billion events.

The state of the security landscape

The unfortunate truth is that data breaches have increased in both frequency and cost. In a survey of organizations worldwide, the Ponemon Institute found that the average total cost of a data breach increased by 23 percent over a two-year period to USD 3.79 million.

Meanwhile, IT organizations have limited budgets. They must deploy more effective prevention, detection and response capabilities in the most cost-effective manner possible. Rather than deploying another point solution, organizations need an integrated platform that can provide out-of-the-box security intelligence with advanced analytics. They must also be able to expand the platform by quickly adding new applications that conquer the latest security threats, without having to wait for the next product release.

Protection for today and tomorrow

IBM QRadar provides a fast, easy, cost-effective way to meet your changing needs for security intelligence and advanced analytics — without the cost and complexity of disparate compliance reporting, application monitoring and vulnerability scanning products. IBM QRadar offers integrated capabilities for log management, SIEM, data storage, incident forensics, full-packet capture, risk and vulnerability management, and incident response.

Featuring a highly scalable architecture, IBM QRadar is ideal for growing organizations that seek maximum security and compliance. Organizations can begin with a small, midsized or large deployment and add new processing or functional capabilities on the fly. Some modules are even pre-installed, enabling new capabilities to be accessed through a simple license key activation. Plus, IBM QRadar unifies all functions within the same integrated, intuitive, web-based interface.

IBM QRadar also scales through integration with other IBM and third-party products. It enables security teams to collaboratively take action against threats by integrating IBM X-Force® Threat Intelligence feeds, as well as new, approved applications from the IBM Security App Exchange.

Real-time and historical visiblity

IBM QRadar with Sense Analytics is designed to monitor, correlate and store large volumes of data in real time. With its inherently scalable architecture, there is no arbitrary limit on the volumes the platform can support. Organizations use IBM QRadar in real-world deployments to process more than one billion events per second.

With advanced, state-based analytics, IBM QRadar transforms raw security data into meaningful insights. Correlation can be performed both locally and globally, and can include questionable events that happened months ago. It helps security teams detect potentially malicious activity, including behavioral changes that deviate from regular patterns, anomalies in network traffic (such as new traffic or traffic that suddenly ceases), and any user or asset activities that exceed a defined threshold. IBM QRadar can also ingest the latest threat intelligence data from the IBM X-Force Exchange to detect emerging threats from across the globe, and generate alerts to help your security teams take action.

Search performance

As the size of a deployment grows, IBM QRadar has the processing power to enable rapid searches, and to analyze and report on security data spread across multiple locations. And with today's advanced threats, speed is a critical requirement for threat management. IBM QRadar provides high-performance indexing capabilities for extremely fast searches from within an intuitive user interface. Plus, IBM QRadar Data Nodes support cost-effective scalability through the addition of long-term data storage and expanded search processing capacity.

Scale out, from small to large

1. All-in-one deployments
2. Distributed enviroments
3. SIEM solution
4. Routers, switches and other network devices exporting event flow data
5. Firewall
6. IDS
7. QFlow collection on passive tap

With IBM QRadar, organizations can easily expand the size and breadth of a deployment and upgrade to the newest product releases. No intrusive architectural changes, "rip-and-replace" migrations or extensive professional services engagements are required to keep pace with growing security needs.

IBM QRadar provides organizations with an incremental deployment approach. Security teams can begin with a single, all-in-one turnkey appliance and grow it over time into a highly distributed, console-based command center by adding multiple event and flow processors, collectors and data nodes. In addition, IBM QRadar QFlow Collector can be added for application-layer (Layer 7) visibility

8. Flow processor
9. QFlow collector
10. Event processor
11. Data node
12. Layer 4 NetFlow for external flow services
13. Layer 7 data analysis through SPAN or tap
14. Collection of log events from network and security infrastructure


using deep-packet inspection technology—even across virtualized and cloud deployments. The store-and-forward collectors can be deployed wherever required to support evolving network requirements and accommodate temporary interruptions in service.

Because IBM QRadar functions are built upon a common architecture, database and user interface, security teams can easily scale out their existing deployments and access new capabilities from within the existing interface. Intelligent automation also means that product upgrades are completely transparent, so staff can focus on more strategic activities.

Scale up for speed and capacity

1. Multiple nodes "snapped in"as needed
2. SIEM solution
3. Event processor
4. QFlow collection on passive tap
5. Servers
6. Routers

One of the biggest challenges organizations face today is the need to keep more and more security data available for quick analysis — for months, or even years, to help boost the storage capacity and analytical processing performance of IBM QRadar deployments, organizations can use IBM QRadar Data Nodes.

7. Switches
8. IDS
9. Firewall
10. Laptop
11. Deployed in the cloud


Here's how they work. IBM QRadar event and flow processors store data and conduct searches on that data. IBM QRadar Data Nodes can then be added directly to those IBM QRadar event and flow processors. IBM QRadar Data Nodes receive and store events and flows, and they automatically balance search performance for query operations.

Scale for cloud deployments

IBM QRadar also scales to support a variety of cloud-based deployment models. For example, IBM QRadar can collect security information from cloud-based applications and integrate it with your on-premises data for comprehensive insights. The IBM QRadar management console and event and flow processors all remain on-premises, while application-specific IBM QRadar modules transfer events and flows in real time from the cloud workload. As a result, you have global visibility across the entire environment.

Alternatively, IBM QRadar can collect, analyze and store data from the cloud in the cloud. In this hybrid environment, IBM QRadar event processors and flow collectors are deployed in the cloud, while the management console and event and flow processors remain on-premises. Data is transferred in real time through a secure connection to your data center for consolidation and analysis. Again, you get a complete picture of your security posture across on-premises and cloud.

In addition, IBM QRadar can scale and be delivered from the cloud. For this type of deployment, IBM QRadar is installed and configured in a cloud infrastructure, such as IBM SoftLayer®. IBM QRadar event and flow collectors reside on-premises, while event processors, flow processors and the master console reside in the cloud. Event and flow data from the on-premises workload is forwarded to IBM QRadar in the cloud — in real time, through a secure channel, for consolidation and analysis.

IBM QRadar can also be deployed in the cloud and managed as a service by IBM. Called IBM Security Intelligence on Cloud, this solution can help address gaps in security skills and staff, and provide you with more predictable costs. It helps you move from a model based on capital expenditures to one based on operating expenses.

Scale functionality within the same interface

In addition to expanding the size, speed and capacity of a SIEM deployment, organizations can also scale IBM QRadar along another dimension — functionality. This provides them with another way to get more value from their existing investment. Some key cap

Risk management

For collecting configuration and topology data to proactively identify risks, simulate offenses and take corrective action before an attack occurs 

IBM QRadar Risk Manager can be added onto an existing QRadar deployment, enabling organizations to proactively manage network device configurations, improve compliance and manage risks. For example, security professionals can pinpoint which firewall rules are firing, which are not, and which ones could be removed to improve firewall performance and security. And with automated monitoring, organizations can quickly discover configuration errors that may leave them exposed to attack. Additional capabilities include multivendor configuration audits, risk/compliance policy assessments and advanced threat simulation.

Vulnerability management

For identifying and prioritizing weaknesses so security personnel can take corrective action before an attack occurs 

IBM QRadar Vulnerability Manager is another way to expand the proactive security capabilities of an existing QRadar deployment — enabling security teams to view vulnerability data within the context of network usage, security and threats. Designed to consolidate results from IBM and non-IBM vulnerability scanners, risk management solutions and external threat intelligence sources, QRadar Vulnerability Manager provides a centralized control center for prioritizing security gaps and weaknesses for resolution. It supports periodic and dynamic network security scans, and delivers a full audit trail for compliance reporting.

Incident forensics

For quickly and easily investigating the step-by-step of an attacker, and supporting quick and effective remediation after an attack occurs 

IBM QRadar Incident Forensics gives IT security professionals additional visibility into the "who, what, when, where and how" of a security incident. It helps eliminate the need for expensive, specialized forensics training, and offers an intuitive user interface capable of rapidly searching terabytes of network packet data. The solution incorporates an Internet-style search engine interface to help provide clarity around what happened. It also uses full-packet capture capabilities to obtain and reconstruct the data that was accessed or transferred. As a result, QRadar Incident Forensics helps to quickly investigate and remediate a network breach, and it can reduce the chances of data exfiltration or the recurrence of past breaches.

Incident response

For making security alerts instantly actionable, orchestrating processes and enabling security teams to provide a faster, more effective response 

IBM QRadar Security Intelligence Platform senses, detects and analyzes events that can be signs of an advanced threat. Integration with Resilient Systems enables the automation of response processes, and allows the generation of a playbook that makes security alerts instantly actionable, provides valuable intelligence and incident context, and allows security teams to quickly take action. Whether you're in a complex Security Operations Center or small-to-midsized team, you're well prepared to manage and resolve security incidents and business crises the moment they occur.


For expanding security capabilities using content downloaded from the IBM Security App Exchange 

The IBM Security App Exchange allows you to scale your QRadar deployment even further by extending its capabilities. This collaborative website contains applications that have been tested and approved by IBM, are available for download, and integrate with the QRadar management console. The site enables IBM, business partners, and customers to collaborate and share many things — including best practices, applications, dashboards, security app extensions and enhancements to IBM Security products — so organizations can respond to the latest security threats in near real time. 

Scale through collaboration

Cybercriminals share tactics on the dark web and beyond, so shouldn't the "good guys" collaborate, too? The IBM QRadar open framework enables you to scale your security measures through collaboration with the global security community. Using IBM QRadar application programming interfaces (APIs), you can easily integrate IBM and third-party solutions.

As mentioned earlier, the IBM Security App Exchange is the first place to find validated app extensions and enhancements for IBM QRadar. Your security teams can download and install the solutions independently — outside of official product release cycles. It's a great way to find industry —, threat —, device — and vendor-specific content for IBM QRadar.

What's more, the IBM X-Force Exchange enables your security teams to collaborate with IBM X-Force researchers and other security experts on the latest threat information. You can use the site to research threat indicators to see if they represent malicious activity, track and share evidence, and interact in private communities to develop stronger defenses.


As security threats grow increasingly sophisticated, organizations need to have the right analytics platform for predicting and prioritizing security weaknesses for mitigation or remediation. Deploying multiple, independent security tools and disparate point solutions is inefficient, costly and can leave dangerous gaps in security. And as an organization grows or new security intelligence capabilities are needed, security teams need technology that can adapt to the new requirements — rather than having to manage a costly, rip-and-replace migration.

IBM QRadar Security Intelligence Platform, powered by Sense Analytics, is designed to provide the fast, easy, cost-effective way to meet changing security needs. This integrated platform can scale over time in size, functionality and performance, giving you the power to act — at scale. Get IBM QRadar and stay a step ahead of attackers for many years to come.

For more information

Find out how integrated capabilities in IBM QRadar can meet your changing needs

About IBM Security

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world's broadest security research, development and delivery organizations, monitors 15 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

© Copyright IBM Corporation 2016, IBM Security, Route 100, Somers, NY 1058, Produced in the United States of America, May 2016 IBM, the IBM logo,, QRadar, Sense Analytics Engine, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at SoftLayer is a registered trademark of SoftLayer, Inc., an IBM Company. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. “2015 Cost of a Data Breach Study: Global Analysis,” Ponemon Institute Research Report, May 2015.